Mediating Resource Access Based on a Physical Location of a Mobile Device

ABSTRACT

One or more techniques are provided for causing a location of a screen image associated with a resource to be adjusted on a display device. The adjustment may be based at least in part on determining that a control element receives focus. The resource may be associated with an application, such as an email application that may be hosted remotely from a client device. Access to one or more resources may be controlled or mediated. Access rights may be based at least in part on a determination of a geographic location of a client device. When the client device is located in a safe area, the client device may be provided access to the resource. When the client device is not located in a safe area, the client device might not be provided access to the resource or might not be provided full access to the resource.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.13/267,031, filed on Oct. 6, 2011, having the same title, which is anon-provisional of and claims the benefit of U.S. provisionalapplication Ser. No. 61/390,345, filed Oct. 6, 2010, entitled “MEDIATINGRESOURCE ACCESS BASED ON A PHYSICAL LOCATION OF A MOBILE DEVICE.” Eachof the above-identified applications are incorporated herein byreference in its entirety.

FIELD OF THE DISCLOSURE

This disclosure generally relates to displaying remotely executingapplications on client devices. In particular, this disclosure relatesto granting access to resources based on the physical location of aclient device.

BACKGROUND OF THE DISCLOSURE

The proliferation of mobile devices equipped to execute remoteapplications and access remote resources from any location and over anynetwork greatly increases the need to control whether to send remotecontent to a mobile device. Using a mobile device to display remotelyexecuting applications that can potentially access and display sensitiveinformation can pose a security risk. One way to mitigate this risk caninclude only providing the mobile device with access to those resourcesdeemed safe for viewing in a public location. Determining whether amobile device is located within a public location can includedetermining what type of network the mobile device uses to access theremote application and remote resources.

Restricting application and resource access in this way can poseproblems when a user accesses a resource or application using a securenetwork but in an unsecure physical location. For example, the status ofa network as secure might not be indicative of the actual or underlyingconditions, such that in reality access rights should not be provided orgranted to a particular client device.

SUMMARY OF THE DISCLOSURE

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. The summary is not anextensive overview of the disclosure. It is neither intended to identifykey or critical elements of the disclosure nor to delineate the scope ofthe disclosure. The following summary merely presents some concepts ofthe disclosure in a simplified form as a prelude to the descriptionbelow.

Aspects of the disclosure are directed to methods, apparatuses,computer-readable media, and systems for mediating access to one or moreresources.

Aspects of the disclosure are directed to mitigating security problemsassociated with displaying sensitive information on a device, such as amobile device, when that device is physically located in an unsecurelocation.

Aspects of the disclosure are directed to mediating access toapplications and resources based on a device's (e.g., a mobile device's)physical location. In some embodiments, information associated with adevice's, e.g., a client device's, current location may be received. Oneor more other devices, such as one or more servers, may determinewhether the client device is located in an area that is predetermined tobe a safe area. Responsive to determining that the information indicatesthat the client device is located in an area that is predetermined to bea safe area, the server may cause the client device to be provided withaccess to content, such as remote content comprising remote applicationoutput. In some embodiments, the server may host the remote content. Insome embodiments, the output may comprise draw commands and imagesgenerated by a remote application. In some embodiments, the remotecontent may comprise one or more remote files.

In some embodiments, a determination may be made that a client devicehas changed location. For example, a determination may be made that theclient device has moved from a safe area to an area that is either anunsafe area or not a safe area. Responsive to determining that theclient device has moved from a safe area to an area that is either anunsafe area or not a safe area, access to a resource may be partially orcompletely restricted. In some embodiments, access to a resource may bebased at least in part on one or more conditions, such as a determinedlocation of a client device.

Aspects of the disclosure are directed to causing one or moreapplications to be displayed on a device, such as a mobile device. Theapplications may receive input from a touch screen. The applications maybe displayed within the context of an operating system configured toreceive input via a touch screen. In some embodiments, one or moreapplications may be remotely-generated.

In some embodiments, a focus event may be intercepted or a notificationof a focus event may be received and sent to a device, such as a mobilecomputing device. The focus event may be associated with a remoteapplication executing on a remote computer. The event notification maybe transmitted from the remote computer to the device. In someembodiments, the remote application executing on the remote computer maybe displayed on the device. Upon receiving the event notification, thedevice may alter the display of the remote application.

In some instances, when a particular control or edit field within aremote application receives focus, a virtual keyboard may be displayed,e.g., on a display of a device, such as a mobile device. When thatcontrol or edit field loses focus, the virtual keyboard might be hidden.In some embodiments, when a virtual keyboard is displayed in response toa control or edit field receiving focus, the application may be panned(e.g., scrolled upwards or downwards) to prevent the virtual keyboardfrom covering the control or edit field.

In some embodiments, a zoom level associated with a section of anapplication may be adjusted. The zoom level may be adjusted responsiveto determining that a control or edit field in that section of theapplication has focus. The zoom level adjustment may include zooming inor zooming out. The control may comprise one or more of a list box, acombo box, or other similar control. Zooming in on the section of theapplication housing the control may be accomplished using a native zoomfunction provided by an operating system executing on the device, or acustom zooming function provided by a client executing on the device,e.g. CITRIX RECEIVER/ICA CLIENT. In some embodiments, the methods andsystems described herein may permit using a local slider function inlieu of a slider control that may be provided within the application.

When a user is displaying a remote application, or desktop, the user mayintelligently zoom or pan on the title bar, scroll bar, window edges orother features of a window associated with the remote application. Thus,rather than trying to manually scale these features, the user mayinteract with the remote application in substantially the same way thatthe user would interact with an application modified to execute on thedevice and receive primarily touch screen input. For example, upon auser placing focus on a section of the remote application for apredetermined period of time (e.g. 0.3 seconds), the system may takeadvantage of local auto-zoom controls to auto-zoom to the section of theremote application that received focus. Auto-zooming may include averification of the coordinates of the section of the remote applicationand then zooming to that section. In some embodiments, zooming mayinclude showing a zooming bubble on the device when a user touches acontrol within the remote application.

Aspects of the disclosure are directed to providing a native userexperience for users accessing remote applications through anapplication executing on a device, such as a mobile device. Theapplication executing on the device, in some embodiments, may includeCITRIX RECEIVER published by CITRIX SYSTEMS. In other embodiments, thedevice may include an IPHONE or IPAD.

Aspects of the disclosure are directed to mitigating display problemscreated by trying to display a remote application on a device, such as amobile device. In some embodiments, one or more existing and/ordisplayed applications may be altered to facilitate the display of theremote application so that those facilitating applications properlydisplay the remote application. For example, FIG. 11 illustrates anexample of a properly displayed remote application where the textcontrol of focus 1108 may be scrolled up, located, and/or sizedautomatically so that the a virtual keyboard 1114 does not overlap thetext control and so that a user can view data as it is inputted into thetext control 1108 using the keyboard 1114. In FIG. 11, the keyboard mayautomatically pop up or launch instead of being manually launched.

BRIEF DESCRIPTION OF THE DRAWINGS

The following figures depict certain embodiments, in which likereference numerals refer to like elements. These depicted embodimentsare to be understood as illustrative of the disclosure and not aslimiting in any way.

FIG. 1A illustrates a network environment in which various aspects ofthe disclosure may be implemented.

FIG. 1B and FIG. 1C illustrate computing devices in which variousaspects of the disclosure may be implemented.

FIG. 2A illustrates a system for displaying a plurality of resources ina user-configurable display layout on an external display device.

FIG. 2B illustrates a system for mapping a display of one or moreresources to one or more display devices.

FIG. 2C illustrates a screen shot depicting a system for displaying aplurality of resources in a user-configurable display layout on anexternal display device, wherein the user-configurable display layout isillustratively divided into a grid.

FIG. 2D illustrates a screen shot depicting a system for displaying aplurality of resources in a user-configurable, dynamic display layout onan external display device.

FIG. 3A illustrates a block diagram depicting a plurality of screenspaces provided by a mobile computing device attached to one or moreexternal display devices.

FIG. 3B illustrates a block diagram depicting a mobile computing deviceproviding a plurality of screen spaces.

FIG. 3C illustrates a block diagram depicting a logical representationof a plurality of screen spaces managed by a virtual graphics driver.

FIG. 4 illustrates a block diagram depicting a system for altering thedisplay of a remote application on a mobile device.

FIG. 5 illustrates a flow diagram depicting a method for altering thedisplay of a remote application on a mobile device.

FIG. 6 illustrates a flow diagram depicting a method for mediatingresources based on the physical location of a mobile device.

FIG. 7 illustrates an adjustment of a displayed image in accordance withone or more aspects of this disclosure.

FIG. 8 illustrates an adjustment of a selection tool and display screenin accordance with one or more aspects of this disclosure.

FIG. 9 illustrates access that may be provided to a resource inaccordance with one or more aspects of this disclosure.

FIG. 10 illustrates a restriction that may be imposed on a resource inaccordance with one or more aspects of this disclosure.

FIG. 11 illustrates an adjustment of a displayed image in accordancewith one or more aspects of this disclosure.

DETAILED DESCRIPTION OF THE DRAWINGS

In the following description of the various embodiments, reference ismade to the accompanying drawings, which form a part hereof, and inwhich is shown by way of illustration various embodiments in which oneor more aspects of the disclosure may be practiced. It is to beunderstood that other embodiments may be utilized and structural andfunctional modifications may be made without departing from the scope ofthe present disclosure.

Various connections between elements are discussed in the followingdescription. These connections are general and, unless specifiedotherwise, may be direct or indirect, wired or wireless, and thisspecification is not intended to be limiting in this respect.

In accordance with various aspects of this disclosure, apparatuses,systems, computer-readable media, and methods are described for causinga virtual keyboard to be displayed on a display screen. In someembodiments, the keyboard may be displayed automatically when a control,such as an editable control, receives focus. In some embodiments, aneditable control and/or other aspects of a display may be adjustedresponsive to the display of the keyboard.

In accordance with various aspects of this disclosure, apparatuses,systems, computer-readable media, and methods are described forcontrolling, or selectively providing access to, a resource. In someembodiments, a determination as to whether to grant access to a resourcemay be based at least in part on a location of a device, such as alocation of a mobile device. In some embodiments, one or moreindications may be used in conjunction with a display screen to indicatethat the resource is subject to selective access.

FIG. 1A illustrates a computing environment 101 that may comprise one ormore client machines 102A-102N (generally referred to herein as “clientmachine(s) 102”) that may be in communication with one or more servers106A-106N (generally referred to herein as “server(s) 106”). Installedin between the client machine(s) 102 and server(s) 106 may be one ormore networks, such as a network 104.

In some embodiments, the computing environment 101 may include anappliance. The appliance may be installed between the server(s) 106 andclient machine(s) 102. The appliance may mange client/serverconnections, and in some cases may load balance client connectionsamongst a plurality of backend servers.

The client machine(s) 102 may be referred to as a single client machine102 or a single group of client machines 102, while server(s) 106 may bereferred to as a single server 106 or a single group of servers 106. Insome embodiments a single client machine 102 may communicate with morethan one server 106. In some embodiments, a single server 106 maycommunicate with more than one client machine 102. In some embodiments,a single client machine 102 may communicate with a single server 106.

A client machine 102 may, in some embodiments, be referenced by any oneof the following terms: client machine(s) 102; client(s); clientcomputer(s); client device(s); client computing device(s); localmachine; remote machine; client node(s); endpoint(s); endpoint node(s);or a second machine. The server 106, in some embodiments, may bereferenced by any one of the following terms: server(s), local machine;remote machine; server farm(s), host computing device(s), or a firstmachine(s).

In some embodiments, the client machine 102 may include a virtualmachine. In some embodiments the virtual machine may comprise anyvirtual machine, such as a virtual machine managed by a hypervisordeveloped by XenSolutions, Citrix Systems, IBM, VMware, or any otherhypervisor. In some embodiments, the virtual machine may be managed by ahypervisor executing on a server 106 or a hypervisor executing on aclient 102.

The client machine 102 may in some embodiments execute, operate orotherwise provide an application selected from one or more of thefollowing: software; a program; executable instructions; a virtualmachine; a hypervisor; a web browser; a web-based client; aclient-server application; a thin-client computing client; an ActiveXcontrol; a Java applet; software related to voice over internet protocol(VoIP) communications like a soft IP telephone; an application forstreaming video and/or audio; an application for facilitatingreal-time-data communications; a HTTP client; a FTP client; an Oscarclient; a Telnet client; or any other set of executable instructions.Still other embodiments may include a client device 102 that displaysoutput generated by an application remotely executing on a server 106 orother remotely located machine. In these embodiments, the client device102 may display the application output in an application window, abrowser, or other output window.

As used herein, a desktop refers to a graphical environment or space inwhich one or more applications may be hosted and/or executed. A desktopmay include a graphical shell providing a user interface for an instanceof an operating system in which local and/or remote applications can beintegrated. Applications, as used herein, are programs that executeafter an instance of an operating system (and, optionally, also thedesktop) has been loaded. Each instance of the operating system may bephysical (e.g., one operating system per device) or virtual (e.g., manyinstances of an OS running on a single device). Each application may beexecuted on a local device, or executed on a remotely located device(e.g., remoted).

In some embodiments, server 106 may execute a remote presentationclient, or other client or program, that uses a thin-client orremote-display protocol to capture display output generated by anapplication executing on server 106. Server 106 may transmit theapplication display output to a remote client 102. The thin-client orremote-display protocol may include one or more of: the IndependentComputing Architecture (ICA) protocol manufactured by Citrix Systems,Inc. of Ft. Lauderdale, Fla.; or the Remote Desktop Protocol (RDP)manufactured by the Microsoft Corporation of Redmond, Wash.

The computing environment may include more than one server 106A-106N. Insome embodiments, servers 106A-106N may be logically grouped togetherinto a server farm 106. The server farm 106 may include servers 106 thatare geographically dispersed and logically grouped together, or servers106 that are located proximate to each other and logically groupedtogether. Geographically dispersed servers 106A-106N within a serverfarm 106 may, in some embodiments, communicate using a WAN, MAN, or LAN,for example. In some embodiments, different geographic regions may becharacterized as: different continents; different regions of acontinent; different countries; different states; different cities;different campuses; different rooms; or any combination of the precedinggeographical locations. In some embodiments, the server farm 106 may beadministered as a single entity. In some embodiments, the server farm106 may include multiple server farms 106 and/or be administered as aplurality of entities.

In some embodiments, a server farm 106 may include servers 106 thatexecute a substantially similar type of operating system platform (e.g.,WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash., UNIX,LINUX, or SNOW LEOPARD.) In some embodiments, the server farm 106 mayinclude a first group of servers 106 that execute a first type ofoperating system platform, and a second group of servers 106 thatexecute a second type of operating system platform, where the first andsecond types of operating system platforms may be different platforms.In some embodiments, the server farm 106 may include servers 106 thatexecute different types of operating system platforms.

The server 106, in some embodiments, may be any server type. Forexample, server 106 may be any of the following server types: a fileserver; an application server; a web server; a proxy server; anappliance; a network appliance; a gateway; an application gateway; agateway server; a virtualization server; a deployment server; a SSL VPNserver; a firewall; a web server; an application server or as a masterapplication server; a server 106 executing an active directory; or aserver 106 executing an application acceleration program that providesfirewall functionality, application functionality, or load balancingfunctionality. In some embodiments, a server 106 may be a RADIUS serverthat includes a remote authentication dial-in user service. Inembodiments where the server 106 comprises an appliance, the server 106may be an appliance manufactured by any one of the followingmanufacturers: the Citrix Application Networking Group; Silver PeakSystems, Inc; Riverbed Technology, Inc.; F5 Networks, Inc.; or JuniperNetworks, Inc. Some embodiments may include a first server 106A thatreceives a request from a client machine 102, forwards the request to asecond server 106B, and responds to the request generated by the clientmachine 102 with a response from the second server 106B. The firstserver 106A may acquire an enumeration of applications available to theclient machine 102 as well as address information associated with anapplication server 106 hosting an application identified within theenumeration of applications. The first server 106A may then present aresponse to the client's request using a web interface, and communicatewith the client 102 to provide the client 102 with access to anidentified application. In some embodiments, the first server 106A maycommunicate directly with the client 102 to provide client 102 withaccess to the identified application.

The server 106 may, in some embodiments, execute one or more of thefollowing applications: a thin-client application using a thin-clientprotocol to transmit application display data to a client; a remotedisplay presentation application; any portion of the CITRIX ACCESS SUITEby Citrix Systems, Inc. like the METAFRAME or CITRIX PRESENTATION SERVERor XenApp or XenDesktop; MICROSOFT WINDOWS Terminal Servicesmanufactured by the Microsoft Corporation; or an ICA client, developedby Citrix Systems, Inc. In some embodiments, a server 106 may include anapplication server such as: an email server that provides email servicessuch as MICROSOFT EXCHANGE manufactured by the Microsoft Corporation; aweb or Internet server; a desktop sharing server; a collaborationserver; or any other type of application server. In some embodiments, aserver 106 may execute any one of the following types of hosted serversapplications: GOTOMEETING provided by Citrix Online Division, Inc.;WEBEX provided by WebEx, Inc. of Santa Clara, Calif.; or MicrosoftOffice LIVE MEETING provided by Microsoft Corporation.

Client machines 102 may, in some embodiments, include a client node thatseeks access to resources provided by a server 106. In some embodiments,the server 106 may provide clients 102 or client nodes with access tohosted resources. The server 106 may, in some embodiments, function as amaster node such that it communicates with one or more clients 102 orservers 106. In some embodiments, the master node may identify andprovide address information associated with a server 106 hosting arequested application, to one or more clients 102 or servers 106. Insome embodiments, the master node may include a server farm 106, aclient 102, a cluster of client nodes 102, or an appliance.

One or more clients 102 and/or one or more servers 106 may transmit dataover a network 104 installed between machines and appliances within thecomputing environment 101. The network 104 may comprise one or morenetworks and/or sub-networks, and may be installed between anycombination of the clients 102, servers 106, computing machines andappliances included within the computing environment 101. In someembodiments, the network 104 may include one or more of: a local-areanetwork (LAN); a metropolitan area network (MAN); a wide area network(WAN); a primary network 104 comprised of multiple sub-networks 104located between the client machines 102 and the servers 106; a primarypublic network 104 with a private sub-network 104; a primary privatenetwork 104 with a public sub-network 104; or a primary private network104 with a private sub-network 104. In some embodiments, network 104 mayinclude one or more of the following network types: a point to pointnetwork; a broadcast network; a telecommunications network; a datacommunication network; a computer network; an ATM (Asynchronous TransferMode) network; a SONET (Synchronous Optical Network) network; a SDH(Synchronous Digital Hierarchy) network; a wireless network; a wirelinenetwork; or a network 104 that includes a wireless link where thewireless link may be an infrared channel or satellite band. The networktopology of the network 104 may differ within different embodiments. Insome embodiments, network topologies that may be utilized may include: abus network topology; a star network topology; a ring network topology;a repeater-based network topology; or a tiered-star network topology. Insome embodiments, network 104 may include mobile telephone networks thatuse a protocol to communicate among mobile devices, where the protocolmay include one or more of the following: AMPS; TDMA; CDMA; GSM; GPRSUMTS; or any other protocol able to transmit data among mobile devices.

Illustrated in FIG. 1B is a computing device 100. In some embodiments,client machine 102 and/or server 106 illustrated in FIG. 1A may bedeployed as and/or executed on any embodiment of the computing device100 illustrated and described herein. Included within computing device100 may be a system bus 150 that may communicate with one or more of thefollowing components: a central processing unit 121; a main memory 122;a storage memory 128; an input/output (I/O) controller (CTRL) 123;display device(s) 124A-124N; an installation device 116; and a networkinterface 118. In some embodiments, the storage memory 128 may includeone or more of: an operating system, software routines, and a clientagent 120. The I/O controller 123, in some embodiments, may be connectedor communicatively coupled to a key board 126, and a pointing device127. Some embodiments may include I/O controller 123 connected to, orcommunicatively coupled to, one or more input/output devices 130A-130N.In some embodiments, computing device 100 may include firmware,hardware, and/or software to facilitate a determination of a location ofcomputing device. For example, GPS functionality may be provided bycomputing device 100 to facilitate determining a location of computingdevice 100.

FIG. 1C illustrates another embodiment of computing device 100, wherethe client machine 102 and/or server 106 illustrated in FIG. 1A may bedeployed as and/or executed on any embodiment of the computing device100 illustrated and described herein. Included within the computingdevice 100 of FIG. 1C is a system bus 150 that may communicate with oneor more of the following components: a bridge 170, and a first I/Odevice 130A. In some embodiments, the bridge 170 may be in communicationwith main processing unit 121, such as a main central processing unit.Processing unit 121 may communicate with one or more of a second I/Odevice 130B, a main memory 122, and a cache memory 140. Included withinthe processing unit 121 may be one or more I/O ports, a memory port 103,and/or a main processor.

Embodiments of the computing machine 100 may include a processing unit121 comprising one or more of the following component configurations:logic circuits that respond to and process instructions fetched from themain memory unit 122; a microprocessor unit, such as: those manufacturedby Intel Corporation; those manufactured by Motorola Corporation; thosemanufactured by Transmeta Corporation of Santa Clara, Calif.; theRS/6000 processor such as those manufactured by International BusinessMachines; a processor such as those manufactured by Advanced MicroDevices; or any other combination of logic circuits. In someembodiments, processing unit 121 may include any combination of thefollowing: a microprocessor, a microcontroller, a central processingunit with a single processing core, a central processing unit with twoprocessing cores, or a central processing unit with more than oneprocessing core.

While FIG. 1C illustrates a computing device 100 that includes a singleprocessing unit 121, in some embodiments the computing device 100 mayinclude any number of processing units 121. In some embodiments, thecomputing device 100 may store or access executable firmware or otherexecutable instructions that, when executed, direct one or moreprocessing units 121 to execute instructions. The executableinstructions may apply to one or more pieces of data. In someembodiments, instructions may execute simultaneously, or substantiallysimultaneously, on more than one processing unit 121. In someembodiments, the computing device 100 may store or access executablefirmware or other executable instructions that, when executed, directone or more processing units to each execute a section of a group ofinstructions. For example, each processing unit 121 may be instructed toexecute a portion of a program or a particular module within a program.

In some embodiments, the processing unit 121 may include one or moreprocessing cores. For example, the processing unit 121 may have twocores, four cores, eight cores, etc. In some embodiments, the processingunit 121 may comprise one or more parallel processing cores. Theprocessing cores of the processing unit 121 may, in some embodiments,access available memory as a global address space. In some embodiments,memory within the computing device 100 may be segmented and assigned toa particular core within the processing unit 121. In some embodiments,one or more processing cores or processors in the computing device 100may access local memory. In some embodiments, memory within thecomputing device 100 may be shared amongst one or more processors orprocessing cores, while other memory may be accessed by particularprocessors or subsets of processors. In some embodiments, such asembodiments where the computing device 100 includes more than oneprocessing unit, the multiple processing units may be included in asingle integrated circuit (IC). In some embodiments, multiple processorsmay be linked together by an internal high speed bus, which may bereferred to as an element interconnect bus.

In some embodiments, such as embodiments where the computing device 100includes one or more processing units 121, or a processing unit 121including one or more processing cores, the processors may execute asingle instruction simultaneously on multiple pieces of data (SIMD). Insome embodiments, multiple processors may execute multiple instructionssimultaneously on multiple pieces of data (MIMD). In some embodiments,the computing device 100 may include any number of SIMD and MIMDprocessors.

In some embodiments, the computing device 100 may include a graphicsprocessor or a graphics processing unit (not shown). The graphicsprocessing unit may include any combination of firmware, software, andhardware. The graphics processing unit may input graphics data andgraphics instructions, render a graphic from the inputted data andinstructions, and output the rendered graphic. In some embodiments, thegraphics processing unit may be included within the processing unit 121.In some embodiments, the computing device 100 may include one or moreprocessing units 121, where at least one processing unit 121 may bededicated to processing and rendering graphics.

In some embodiments, processing unit 121 may communicate with cachememory 140 via a secondary bus also known as a backside bus. In someembodiments, the computing machine 100 may include a processing unit 121that may communicate with cache memory 140 via the system bus 150. Thesystem bus 150 may, in some embodiments, also be used by the processingunit to communicate with more than one type of I/O device 130A-130N. Insome embodiments, the system bus 150 may include one or more of thefollowing types of buses: a VESA VL bus; an ISA bus; an EISA bus; aMicroChannel Architecture (MCA) bus; a PCI bus; a PCI-X bus; aPCI-Express bus; or a NuBus. In some embodiments, an I/O device130A-130N may include a video display (e.g., a display device 124) thatcommunicates with the processing unit 121. In some embodiments, thecomputing machine 100 may include a processor 121 connected to an I/Odevice 130A-130N via one or more of the following connections:HyperTransport, Rapid I/O, or InfiniBand. In some embodiments, thecomputing machine 100 may include a processor 121 that may communicatewith a first I/O device (e.g., I/O device 130A) using a localinterconnect bus and a second I/O device (e.g., I/O device 130B) using adirect connection.

In some embodiments, computing device 100 may include a main memory unit122 and cache memory 140. One or more of the memories may include one ormore of: SRAM; BSRAM; or EDRAM. In some embodiments, cache memory 140and a main memory unit 122 may include one or more of: Static randomaccess memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM); Dynamicrandom access memory (DRAM); Fast Page Mode DRAM (FPM DRAM); EnhancedDRAM (EDRAM), Extended Data Output RAM (EDO RAM); Extended Data OutputDRAM (EDO DRAM); Burst Extended Data Output DRAM (BEDO DRAM); EnhancedDRAM (EDRAM); synchronous DRAM (SDRAM); JEDEC SRAM; PC100 SDRAM; DoubleData Rate SDRAM (DDR SDRAM); Enhanced SDRAM (ESDRAM); SyncLink DRAM(SLDRAM); Direct Rambus DRAM (DRDRAM); Ferroelectric RAM (FRAM); or anyother type of memory. In some embodiments, processing unit 121 mayaccess the main memory 122 via: a system bus 150; a memory port 103; orany other connection, bus, or port that allows the processing unit 121to access memory 122.

In some embodiments, support may be provided for one or moreinstallation devices 116, such as the following types of installationdevices: a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drivesof various formats, USB device, a bootable medium, a bootable CD, abootable CD for GNU/Linux distribution such as KNOPPIX®, a hard-drive orany other device suitable for installing applications or software. Insome embodiments, applications may include a client agent 120, or anyportion of a client agent 120. The computing device 100 may include astorage device 128 that may include one or more hard disk drives and/orone or more redundant arrays of independent disks. The storage devicemay be configured to store an operating system, software, programsapplications, or at least a portion of the client agent 120. In someembodiments, an installation device 116 may be used as the storagedevice 128.

The computing device 100 may include a network interface 118 tointerface to a Local Area Network (LAN), Wide Area Network (WAN) or theInternet through a variety of connections including, but not limited to,standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56kb,X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM,Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or somecombination of any or all of the above. Connections may also beestablished using a variety of communication protocols (e.g., TCP/IP,IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed DataInterface (FDDI), RS232, RS485, IEEE 802.11, IEEE 802.11a, IEEE 802.11b,IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). Thecomputing device 100 may include a network interface 118 able tocommunicate with additional computing devices 100′ via any type and/orform of gateway or tunneling protocol, such as Secure Socket Layer (SSL)or Transport Layer Security (TLS), or the Citrix Gateway Protocolmanufactured by Citrix Systems, Inc. Versions of the network interface118 may comprise one or more of: a built-in network adapter; a networkinterface card; a PCMCIA network card; a card bus network adapter; awireless network adapter; a USB network adapter; a modem; or any otherdevice suitable for interfacing the computing device 100 to a networkcapable of communicating and performing the various acts describedherein.

In some embodiments, I/O devices 130A-130N may include one or more of: akeyboard 126; a pointing device 127; mice; trackpads; an optical pen;trackballs; microphones; drawing tablets; video displays; speakers;inkjet printers; laser printers; and dye-sublimation printers; or anyother input/output device able to perform the various acts describedherein. An I/O controller 123 may, in some embodiments, connect tomultiple I/O devices 130A-130N to control the one or more I/O devices.Some embodiments of the I/O devices 130A-130N may be configured toprovide storage or an installation medium 116. In some embodiments, oneor more of I/O devices 130A-130N may provide a universal serial bus(USB) interface for receiving USB storage devices such as the USB FlashDrive line of devices manufactured by Twintech Industry, Inc. In someembodiments, an I/O device 130 may include or provide a bridge betweenthe system bus 150 and an external communication bus, such as: a USBbus; an Apple Desktop Bus; an RS-232 serial connection; a SCSI bus; aFireWire bus; a FireWire 800 bus; an Ethernet bus; an AppleTalk bus; aGigabit Ethernet bus; an Asynchronous Transfer Mode bus; a HIPPI bus; aSuper HIPPI bus; a SerialPlus bus; a SCI/LAMP bus; a FibreChannel bus;or a Serial Attached small computer system interface bus.

In some embodiments, the computing machine 100 may connect to multipledisplay devices 124A-124N. In some embodiments, the computing device 100may connect to a single display device 124. In some embodiments, thecomputing device 100 may connect to display devices 124A-124N that arethe same type or form of display, or to display devices that aredifferent types or forms. Embodiments of the display devices 124A-124Nmay be supported and enabled by one or more of the following: one ormultiple I/O devices 130A-130N; the I/O controller 123; a combination ofI/O device(s) 130A-130N and the I/O controller 123; any combination ofhardware and software able to support a display device 124A-124N; anytype and/or form of video adapter, video card, driver, and/or library tointerface, communicate, connect or otherwise use the display devices124A-124N. The computing device 100 may in some embodiments beconfigured to use one or multiple display devices 124A-124N, and theseconfigurations may include: having multiple connectors to interface tomultiple display devices 124A-124N; having multiple video adapters, witheach video adapter connected to one or more of the display devices124A-124N; having an operating system configured to support multipledisplays 124A-124N; using circuits and software included within thecomputing device 100 to connect to and use multiple display devices124A-124N; and executing software on the main computing device 100 andmultiple secondary computing devices to enable the main computing device100 to use a secondary computing device's display as a display device124A-124N for the main computing device 100. In some embodiments, thecomputing device 100 may include multiple display devices 124A-124Nprovided by one or more secondary computing devices and connected to themain computing device 100 via a network.

In some embodiments, the computing machine 100 may execute any operatingsystem. For example, the computing machine 100 may execute any of thefollowing operating systems: versions of the MICROSOFT WINDOWS operatingsystems such as WINDOWS 3.x; WINDOWS 95; WINDOWS 98; WINDOWS 2000;WINDOWS NT 3.51; WINDOWS NT 4.0; WINDOWS CE; WINDOWS XP; WINDOWS VISTA;and WINDOWS 7; the different releases of the Unix and Linux operatingsystems; any version of the MAC OS manufactured by Apple Computer; OS/2,manufactured by International Business Machines; any embedded operatingsystem; any real-time operating system; any open source operatingsystem; any proprietary operating system; any operating systems formobile computing devices; or any other operating system. In someembodiments, the computing machine 100 may execute multiple operatingsystems. For example, the computing machine 100 may execute PARALLELS oranother virtualization platform that may execute or manage a virtualmachine executing a first operating system, while the computing machine100 may execute a second operating system different from the firstoperating system.

In some embodiments, the computing machine 100 may be embodied in one ormore of the following devices: a computing workstation; a desktopcomputer; a laptop or notebook computer; a server; a handheld computer;a mobile telephone; a portable telecommunication device; a media playingdevice; a gaming system; a mobile computing device; a netbook; a deviceof the IPOD family of devices manufactured by Apple Computer; any one ofthe PLAYSTATION family of devices manufactured by the Sony Corporation;any one of the Nintendo family of devices manufactured by Nintendo Co;any one of the XBOX family of devices manufactured by the MicrosoftCorporation; or any other type and/or form of computing,telecommunications or media device that is capable of communication andthat has sufficient processor power and memory capacity to perform theacts described herein. In some embodiments the computing machine 100 mayinclude a mobile device, such as any one of the following mobiledevices: a JAVA-enabled cellular telephone or personal digital assistant(PDA), such as the i55sr, i58sr, i85s, i88s, i90c, i95cl, or the im1100,all of which are manufactured by Motorola Corp; the 6035 or the 7135,manufactured by Kyocera; the i300 or i330, manufactured by SamsungElectronics Co., Ltd; the TREO 180, 270, 600, 650, 680, 700p, 700w, or750 smart phone manufactured by Palm, Inc; any computing device that hasdifferent processors, operating systems, and input devices consistentwith the device; or any other mobile computing device configured toperform the acts described herein. In still other embodiments, thecomputing device 100 may include any one of the following devices: anyone series of Blackberry, or other handheld device manufactured byResearch In Motion Limited; the iPhone manufactured by Apple Computer;Palm Pre; a Pocket PC; a Pocket PC Phone; or any other handheld mobiledevice.

In some embodiments, the computing device 100 may have differentprocessors, operating systems, and input devices consistent with thedevice. For example, the computing device 100 may include a TREO 180,270, 600, 650, 680, 700p, 700w, or 750 smart phone manufactured by Palm,Inc. In some embodiments, the TREO smart phone may be operated under thecontrol of the PalmOS operating system and may include a stylus inputdevice as well as a five-way navigator device.

In some embodiments the computing device 100 may include a mobiledevice, such as a JAVA-enabled cellular telephone or personal digitalassistant (PDA), such as the i55sr, i58sr, i85s, i88s, i90c, i95cl, orthe im1100, all of which are manufactured by Motorola Corp. ofSchaumburg, Ill., the 6035 or the 7135, manufactured by Kyocera ofKyoto, Japan, or the i300 or i330, manufactured by Samsung ElectronicsCo., Ltd., of Seoul, Korea. In some embodiments, the computing device100 may include a mobile device manufactured by Nokia of Finland, or bySony Ericsson Mobile Communications AB of Lund, Sweden.

In some embodiments, the computing device 100 may include a Blackberryhandheld or smart phone, such as the devices manufactured by Research InMotion Limited, including the Blackberry 7100 series, 8700 series, 7700series, 7200 series, the Blackberry 7520, or the Blackberry Pearl 8100.In some embodiments, the computing device 100 may include a smart phone,Pocket PC, Pocket PC Phone, or other handheld mobile device supportingMicrosoft Windows Mobile Software. Moreover, the computing device 100may include any workstation, desktop computer, laptop or notebookcomputer, server, handheld computer, mobile telephone, any othercomputer, or other form of computing or telecommunications device thatis capable of communication and that has sufficient processor power andmemory capacity to perform the operations described herein.

In some embodiments, the computing device 100 may include a digitalaudio player. In some embodiments, the computing device 100 may includea digital audio player such as the Apple IPOD, IPOD Touch, IPOD NANO,and IPOD SHUFFLE lines of devices, manufactured by Apple Computer ofCupertino, Calif. In some embodiments, the digital audio player mayfunction as both a portable media player and as a mass storage device.In some embodiments, the computing device 100 may include a digitalaudio player, such as the DigitalAudioPlayer Select MP3 players,manufactured by Samsung Electronics America, of Ridgefield Park, N.J.,or the Motorola m500 or m25 Digital Audio Players, manufactured byMotorola Inc. of Schaumburg, Ill. In some embodiments, the computingdevice 100 may include a portable media player, such as the Zen VisionW, the Zen Vision series, the Zen Portable Media Center devices, or theDigital MP3 line of MP3 players, manufactured by Creative TechnologiesLtd. In some embodiments, the computing device 100 may include aportable media player or digital audio player supporting file formatsincluding, but not limited to, MP3, WAV, M4A/AAC, WMA Protected AAC,AIFF, Audible audiobook, Apple Lossless audio file formats and .mov,.m4v, and .mp4 MPEG-4 (H.264/MPEG-4 AVC) video file formats.

In some embodiments, the computing device 100 may comprise a combinationof devices, such as a mobile phone combined with a digital audio playeror portable media player. In some embodiments, the computing device 100may include a Motorola RAZR or Motorola ROKR line of combination digitalaudio players and mobile phones. In some embodiments, the computingdevice 100 may include an iPhone smartphone, manufactured by AppleComputer of Cupertino, Calif.

Referring to FIG. 2A, a block diagram of a system is illustrated. Thesystem may cause one or more resources, such as one or more portions orone or more windows of a display screen or graphic, to be displayed onone or more display devices. In brief overview, the system may include adevice, such as a mobile computing device 102 that may communicate withone or more external display devices 202 a-n. FIG. 2A shows a mobilecomputing device 102 with a native display 201, although devices withoutnative displays may be used in some embodiments. The mobile computingdevice 102 may execute a plurality of resources 204 a-n (collectively,204). A window management service or system 206 and a virtual graphicsdriver 208 may manage the locations and sizes of output data associatedwith each of the plurality of resources 204. In some embodiments, adisplay of output data may be based at least in part on auser-configurable display layout. In some embodiments, the mobilecomputing device 102 may transmit the output data associated with one ormore of the resources 204 to an external display device 202. In someembodiments, the mobile computing device 102 may transmit the outputdata upon establishing a connection with the external display device202. In some embodiments, the mobile computing device 102 may transmitthe output data associated with each of the plurality of resources 204to the device's native display 201. In some embodiments, the mobilecomputing device 102 may transmit the output data associated with one ormore of resources 204 to the native display 201 and transmit the outputdata associated with other of the plurality of resources 204 to theexternal display devices 202 a-n.

As described above, mobile computing device 102 may be associated with aplurality of resources 204. In some embodiments, one or more of theresources 204 may include an executable resource. Briefly referring toFIG. 4, in some embodiments, one or more of the resources 204 may behosted by, or stored at, one or more devices, such as a remote computer401. In some embodiments, the mobile computing device 102 may include aclient 102 as described above in connection with FIGS. 1A-1C. In someembodiments, the mobile computing device 102 may display the output dataassociated with a resource 204 a in a plurality of resources 204 a-nexecuted by the mobile computing device 102. In some embodiments, themobile computing device 102 may display the output data associated witheach of the plurality of resources 204.

In some embodiments, a resource in the plurality of resources 204 mayinclude, without limitation, a data file, an executable file,configuration files, an application, a desktop environment (which mayitself include a plurality of applications for execution by the user), acomputing environment image (such as a virtual machine image), anoperating system software or other applications needed to execute acomputing environment image, and/or one or more windows or displaygraphics, that may optionally be subject to modification, re-location,or re-sizing in accordance with one or more aspects of this disclosure.In some embodiments, the resource may be subject to conditional orselective access in accordance with one or more aspects of thisdisclosure.

In some embodiments, the mobile computing device 102 may include awindow management service 206 allowing an external display device 202 todisplay the output data associated with one or more of resources 204executed on the mobile computing device 102. In some embodiments, thewindow management service 206 may allow one or more resources running onthe mobile computing device 102 to be viewed on an external displaydevice 202 or the native display 201 at substantially the same time. Insome embodiments, an output of resource 204 may be viewed exclusively onthe native display 201 or external display device 202. In someembodiments, the window management service 206, in conjunction with avirtual graphics driver 208, may manage the display layout of thewindows displayed on the external display device 202 and the nativedisplay 201. In some embodiments, the virtual graphics driver 208 may bea driver-level component that manages a virtual screen frame bufferstoring output data that may be displayed by the native display 201 onthe mobile computing device 102 or an external display device 202. Insome embodiments, the window management service 206, in conjunction withthe virtual graphics driver 208, may manage the boundaries and size of ascreen space used to display output data and on which display device theoutput data is displayed.

In some embodiments, an external display device 202 may receive outputdata associated with one or more of resources 204 and display the outputdata in a user-configurable display layout. In some embodiments, theexternal display device 202 may include a dock to which the mobilecomputing device 102 connects. In some embodiments, the external displaydevice 202 may include a receiver for communicating with the mobilecomputing device 102 wirelessly, for example, via BLUETOOTH, Wi-Fi orother networking protocols, as described above in connection with FIGS.1A-1C. In some embodiments, the external display device 202 may includea display device 124 as described above in connection with FIG. 1B-1C.

Referring to FIG. 2B, a block diagram of a system is illustrated. Thesystem may be configured to map the display of one or more resources 204of the mobile computing device 102 on one or more display devices 201and/or 202. In some embodiments, the window management service 206 maymanage a virtual screen space 210. The virtual screen space 210 may mapto the native display 201 and one or more external display devices 202.The window management service 206 may position output data associatedwith the user interfaces of one or more resources 204 on the virtualscreen space 210 to specify where each user interface will be displayed.In some embodiments, the window management service 206 may position theoutput data according to one or more user preferences. In someembodiments, the window management service 206 may position the outputdata according to a policy. In some embodiments, the window managementservice 206 may position the output data based on the resource 204associated with the output data.

The window management service 206 may communicate with the virtualgraphics driver 208 to transmit output data associated with userinterfaces of resources 204 to the native display 201 and one or moreexternal display devices 202. In some embodiments, the window managementservice 206 may transmit output data and associated coordinates from thevirtual screen space 210 to the virtual graphics driver 208. In someembodiments, the virtual graphics driver 208 may store the output datain a virtual screen frame buffer. In some embodiments, the virtualgraphics driver 208 may transmit the entries in the virtual screen framebuffer to the native display 201 and external display devices 202. Insome embodiments, the virtual graphics driver 208 may transmit an entryin the virtual screen frame buffer to a native display 201 or anexternal display device 202 based on the position of the entry in theframe buffer.

FIG. 2C illustrates a screen shot of a display layout. In someembodiments, the display layout may be user configurable. An externaldisplay device 202 may display the output data of one or more of theresources 204 in the layout of FIG. 2C. In some embodiments, the outputdata of the resources 204 may be displayed in a grid display layout asshown. The grid display layout may include one or more cells in anarrangement. A cell may display output data associated with a resource.In some embodiments, more than one cell displays output data associatedwith the same resource. In some embodiments, a cell may display outputdata associated with one or more resources. In some embodiments,multiple cells may display output data associated with a particularresource. For example, multiple cells may display respective portions ofoutput data associated with a particular resource.

In some embodiments, the cells may be uniformly sized. In someembodiments, the cells may be different sizes. The cells may be arrangedin any configuration. In some embodiments, the cells may be arranged inrows, columns, or both. A cell may have a descriptor associated with thecell's position in the grid. The descriptor may indicate the position ofa cell within a row. In the screen shot depicted in FIG. 2C, the cellfor resource 204 a may have the descriptor “1-1,” the cell for resource204 b may have the descriptor “1-2,” the cell for resource 204 c mayhave the descriptor “1-3,” the cell for resource 204 d may have thedescriptor “2-1,” and the cell for resource 204 n may have thedescriptor “2-2.” In other embodiments, the cells may be numbered, e.g.“Cell 1,” “Cell 2,” etc. However, any system of choosing descriptorsknown to those of ordinary skill in the art may be used.

In some embodiments, the window management service 206 may configure agrid display layout according to the resources 204 being displayed onthe native display 201 or the external display device 202. In someembodiments, the service 206 may configure a grid display layoutaccording to the number of resources 204 being displayed. In someembodiments, the service 206 may configure a grid display layoutaccording to the size or amount of content in the user interfaces of theresources 204. For example, if an external display device 202 displaysfour resources with comparable amounts of content, the window managementservice 206 may configure a grid display layout with four uniform cells.In another example, if an external display device 202 displays fourresources and one resource includes three times as much content as theothers, the window management service 206 may configure a grid displaylayout with three uniform cells in a first row and a single cell in asecond row. The single cell in the second row may be three times as wideas the cells in the first row. In some embodiments, the windowmanagement service 206 may configure a grid display layout to reserve acell for displaying information about the resources being displayed,such as a menu of the resources. In some embodiments, the windowmanagement service 206 may configure a grid display layout to reserve acell for allowing a user to configure the grid display layout.

Referring to FIG. 2D, a screen shot of a display layout is illustrated.The display layout may be user configurable. The layout may provide orinclude a dynamic display layout in which the external display device202 may display the output data associated with the plurality ofresources 204. In some embodiments, windows on the external displaydevice 202 that display output data for resources 204 may be dynamicallypositioned and sized. The window management service 206 may position auser interface for a resource at a default position and with a defaultsize chosen according to a policy, the resource 204, or any other input,specification, or method. The window management service 206 may orderoverlapping user interfaces such that higher-order user interfacesobscure lower-order user interfaces. The window management service 206may transmit output data to the virtual graphics driver 208 reflectingthe obfuscation. The user may re-position or re-size a window by, forexample, clicking and dragging the window or a window edge. In someembodiments, the virtual graphics driver 208 may detect the user'schange to the window, and transmit information about the user's changeto the window management service 206. The window management service 206may process the change and transmit updated output data to the virtualgraphics driver 208. In some embodiments, the user may move the userinterface for a resource 204 to any location on a native display 201 orexternal display device 202. In some embodiments, the user may move theuser interface for a resource 204 to a different display device. In someembodiments, the updated output data may indicate that one userinterface's size has been increased or location has been adjusted toobscure another user interface. In some embodiments, the updated outputdata may indicate that one user interface's size has been decreased orlocation has been adjusted such that more of another user interfaceshall be visible.

Referring to FIG. 3A, a block diagram is illustrated. As shown in FIG.3A, a mobile computing device 102 may provide one or more virtual screenspaces 210. The mobile computing device may be attached to, or coupledto, one or more external display devices.

As shown in FIG. 3A, and as described above, the mobile computing device102 may include a virtual graphics driver 208 and a virtual screen 210.The virtual screen 210 may include a plurality of virtual screen spaces310 and 312 a-n. Virtual screen space 310 may be a native display screenspace for the native display 201 on the mobile computing device 102. Theother virtual screen spaces 312 a-n may be extended screen spaces thatcorrespond to the displays of external display devices 202. The windowmanagement service 206 and virtual graphics driver 208 may manage thevirtual screen 210. In some embodiments, the virtual graphics driver 208may use a virtual screen frame buffer to manage the mobile computingdevice's native display 201 and change the native display's 201 screenresolution. In some embodiments, the virtual graphics driver 208 may usea virtual screen frame buffer to manage an extended screen space 312 andto change a resolution of the extended screen space 312.

In some embodiments, the virtual graphics driver 208 may allocate andmanage one or more of virtual screen spaces 310, 312 a-n and virtualscreen frame buffers. In some embodiments, one or more virtual screenspaces and virtual screen frame buffers may have a resolutionindependent of the other screen spaces and frame buffers. In someembodiments, output data associated with one or more of the plurality ofresources 204 may reside within any of the virtual screen spaces 310,312 a-n. In some embodiments, one or more of the extended screen spaces312 a-n may be associated with at least one external display device 202,optionally dependent on the capabilities of the device.

In some embodiments, the window management service 206 and the virtualgraphics driver 208 may allocate and manage the display, on a pluralityof external display devices 202, of output data associated with aplurality of resources. In some embodiments, output data associated witha resource 204 a may be displayed on a mobile computing device 102,output data associated with a resource 204 b may be displayed on oneexternal display device 202 a, and output data associated with aresource 204 c may be displayed on another external display device 202b. In some embodiments, the window management device 206 may identifyone of the external display devices 202 for displaying output datagenerated by a resource 204 a based upon a type of the resource 204 a.For example, the window management service 206 may determine that a typeof resource rendering a video may display on a television screen, whilea type of resource rendering a word processing application may render ona display of a laptop computer.

Referring to FIG. 3B, a block diagram of a mobile computing device 102is illustrated. As shown, mobile computing device 102 may provide avirtual screen 210 with virtual screen spaces 310, 312 a-n ofpotentially varying resolutions. As shown in FIG. 3B, the virtual screen210 may include a native display screen space 310 corresponding to thenative display 201 of the mobile computing device 102 with a resolutionof 320 pixels×240 pixels. The virtual screen 210 may include an extendedscreen 312 a corresponding to the display of an external display device202 with a resolution of 1024 pixels×768 pixels, an extended screen 312n-1 corresponding to the display of an external display device 202 witha resolution of 800 pixels×600 pixels, and an extended screen 312 ncorresponding to the display of an external display device 202 with aresolution of 640 pixels×480 pixels. In some embodiments, the virtualscreen 210 may include a native display screen space 310 and any numberof extended screens 312 of any resolution. In some embodiments, theentire virtual screen space 210 may be mapped into a single virtualscreen frame buffer. In some embodiments, virtual screen space 210 maymap into multiple buffers.

Referring to FIG. 3C, a block diagram of a representation of a pluralityof virtual screen spaces managed by a virtual graphics driver isillustrated. The representation of FIG. 3C may be an actual or a logicalrepresentation. In some embodiments, the virtual graphics driver 208 maymanage multiple virtual screen spaces with different resolutions in avirtual screen frame buffer. In some embodiments, the native display 201of the mobile computing device may be the primary display and theexternal display device 202, corresponding to the extended screen 312 a,may serve as a secondary display. In some embodiments, output dataassociated with resources 204 on the native display screen space 310 maybe displayed on the native display 201 and output data associated withresources 204 on the extended screen space 312 a may be displayed on theexternal display device 202 associated with the extended screen spaces312 a.

Illustrated in FIG. 4 is a system. The system of FIG. 4 may correspondto, or operate in conjunction with, the system described in connectionwith FIG. 2B. The system of FIG. 4 may include a mobile computing device102, such as any mobile device described herein. The mobile computingdevice 102 may execute and/or store one or more resources 204. In someembodiments the resources 204 may include applications executing on themobile computing device 102. In some embodiments, at least one resourcemay include an operating system executing on the mobile device 102 suchthat the other resources execute within the context of the operatingsystem. The mobile device 102 may execute a windows management service206 that may communicate with other applications executing on the mobiledevice 102. The windows management service 206 may communicate with avirtual graphics driver 208 and the resources or applications 204executing on the mobile device 102. The mobile computing device 102 mayexecute a virtual graphics driver 208, and may store a buffer forgenerating a virtual screen space 210 that may include a buffer for anative display screen space 210 a. The mobile device 102 may communicatewith a native display 201 of the mobile device 102 on which applicationoutput generated by a resource 204 may be displayed. The mobile device102 may communicate with a remote computer 501 that may execute one ormore resources 405A-405N (generally referred to as remote resources 405)which may, in some embodiments, be remote applications 405. The remotecomputer 401 may execute a remoting client 410.

In some embodiments, resources 204 executing on the mobile device 102may be applications configured to accept data inputted by a touchscreen. For example, the resources 204 may be modified versions ofapplications that typically do not receive data from a touch screen.These modified applications 204 may receive data inputted by a user viaa touch screen of the mobile device 102, and may be modified toaccommodate typical touch screen input functions like a virtual keyboardand a virtual scroll menu. For example, a version of SAFARI, which is aweb browser published by APPLE, may be modified to pan up when a userselects or gives focus to an edit control such as a text box. SAFARI maybe modified to pan the application upwards to accommodate the virtualkeyboard displayed over the browser and so that a user may view the textbox whilst typing on the virtual keyboard.

In some embodiments, the mobile device 102 may communicate with a remotecomputer 401. The remote computer 401 may include a server, a client, orany other computing machine. In some embodiments the remote computer 401may include a remote application server that executes one or moreapplications. The mobile device 102 may communicate with the remotecomputer 401 over a virtual channel. In some embodiments, the virtualchannel may be established over a network and may be referred to as acontrol virtual channel. In some embodiments, the virtual channel may bea seamless virtual channel. A control virtual channel may be used toremote control commands and other miscellaneous commands while theseamless virtual channel may be used to remote application windows, ataskbar, a systray, etc. Thus, in some embodiments, one or more virtualchannels may remote different functions and content. In someembodiments, the virtual channel may be established by a windowmanagement service 206 executing on the mobile device 102. In someembodiments, the virtual channel may be established by both the windowmanagement service 206 and a remoting client 410 executing on the remotecomputer 401. The virtual channel may, in some embodiments, facilitatecommunication sent using one or more protocols, such as the ICAprotocol.

In some embodiments, the remote computer 401 may execute a remotingclient 410. The remoting client 410 may be referred to as a controlvirtual channel or a seamless virtual channel and may be a remotingapplication that corresponds to the virtual channel used by the client410 to transmit data to the mobile device 102 and receive data from themobile device 102. In some embodiments, the remoting client 410 maycollaborate with the window management service 206 to modify remoteapplications 405 for remote display on the mobile device 102. The windowmanagement service 206, may include CITRIX RECEIVER published by CITRIXSYSTEMS. In some embodiments, the remoting client 410 may communicatewith the remote applications 405 to intercept event notifications anddata that may be generated by the remote applications 405. Inparticular, the remoting client 410 may perform event-based detection ofone or more controls using application programming interfaces providedby one or more of the remote applications 405. For example, in someembodiments at least one remote application 405 (e.g., 405B) may includean operating system executing on the remote computer 401. In someembodiments, the remoting client 410 may intercept events generated bycontrols within the remote application 405B using application programinterfaces made available by the operating system 405B. The controls maybe selected by the remoting client 410 based on whether the control hasfocus or is on a predetermined list of controls of interest. A control,in some embodiments, may include an object within an application that auser interacts with, e.g. a text box, drop down menu, radio button,button, check box, edit box, combo box, etc. The control may further bereferred to as a field. In some embodiments, the remoting client 410 mayintercept the control-generated events by registering with acommunication interface associated with the application 405B to receivenotifications when a focus-change event occurs within the application405B. For example, the remoting client 410 may receive a notificationwhen an object or control receives focus, e.g. a user selects a text boxwithin the application.

The remoting client 410 may communicate with the window managementservice 206 over a virtual channel. In some embodiments, the remotingclient 410 may send intercepted event notifications over the virtualchannel to the window management service 206. In other embodiments, theremoting client 410 may transmit location coordinates for a control, thetype of control, the contents of a control, the window handle of acontrol, and/or parent window information for a control. The windowmanagement service 206 may receive information from the remoting client410 and adjust display of an application 204 on the native display 201using the received information. Adjusting the display may includepanning, zooming or otherwise modifying the display of the application204.

In some embodiments, the remote computer 401 may execute one or moreresources 405. These resources, in some embodiments, may includeapplications. In other embodiments, at least one resource may include anoperating system executing on the remote computer 401. In thoseembodiments, the other applications 405 may execute within the contextof the operating system. In some instances, the applications 405 may bereferred to as remote applications 405.

Illustrated in FIG. 5 is a method 500 in accordance with one or moreaspects of this disclosure. The method of FIG. 5 may be used to alter adisplay of a remote application on a mobile device. An applicationexecuting on a remote computer may intercept a focus event notificationgenerated in response to a control within a remote application receivingfocus (step 502). The remote computer may forward the received orintercepted focus event notification to a mobile computing device (step505). Upon receiving the focus event notification, an applicationexecuting on the mobile computing device may modify a display of theremote application in response to receiving the notification andaccording to information associated with the event (step 510).

According to one or more aspects of this disclosure, an applicationexecuting on a remote computer may intercept a focus event notification(step 502). The application may, in some embodiments, be a remotingclient 410 executing on a remote computer 401. In some embodiments, theapplication may be any application executing on a remote computer 401and able to hook into function calls issued by an application executingon the remote computer 401. The application executing on the remotecomputer 401, in some embodiments, may include a component insideWFSHELL,EXE (ICACTLS.DLL). In some embodiments, the application may bean application managing a control or seamless virtual channelestablished between the remote computer 401 and the mobile device 102.The focus event notification may, in some embodiments, include a callissued by a remote application executing on the remote computer 401 whena control or field within the remote application receives focus, e.g. auser selects or otherwise highlights the control or field. In someembodiments, the control may include any object or control, such as: anedit box, a textbox, a memo field, a combo box, a drop-down menu, aslider, a list box, or any other similar object or control. The functionmay, for example, include a function such as ‘focus combo box” or anyother function that generates a notification indicating a controlreceived focus. In some embodiments, the application may use event-baseddetection facilitated by WINDOWS 7 UI AUTOMATION application programinterfaces. In some embodiments, the application may use event-baseddetection facilitated by any API. In some embodiments, the applicationmay register for notifications provided by these APIs using a COMinterface associated with a particular control and/or a particularfunction.

In some embodiments, the application may forward the intercepted focusevent notification to the mobile device 102 (step 505). The applicationmay forward the notification upon intercepting or receiving thenotification. In some embodiments, the application may send additionalinformation to the mobile device 102 in response to receiving thenotification. This additional information may include: the type ofcontrol that received focus (e.g. combo box, textbox); the name or anidentifier of the control that received focus; the location orcoordinates of the control within the application (e.g. where in theapplication output the control is located); the content of the control(e.g. values assigned to the control, strings associated with thecontrol, etc.); a window handle of the control; a window identifier ofthe window displaying the control; the location or coordinates of theparent window displaying the control; or any additional information thatmay be used to determine the location of the control within theapplication output displayed by the mobile device 102.

An application executing on the mobile device 102 may modify the displayof the remote application in response to receiving the focus eventnotification and information associated with the control (step 510). Insome embodiments, this application may include a window managementservice 206 executing on the mobile device 102. In other embodiments,the application may include any application able to receive event andcontrol information from a remote computer 401 and use it to modifyoutput displayed on the native display 201. In response to receiving thefocus event notification, the window management service 206 may modifythe display of the remote application by panning the display upward toaccommodate a virtual keyboard or virtual picker, may zoom to a sectionof the display, may display a zoom bubble, or may perform anycombination of these actions. In some embodiments, the window managementservice 206 may modify the display of the remote application byauto-zooming.

In some embodiments, the method may further include determining whethera virtual keyboard or picker hides the control having focus beforemodifying the display of the remote application. In some embodiments,the window management service 206 may determine whether the virtualkeyboard or picker hides the control, and upon determining that thecontrol is hidden, the window management service 206 may pan or zoom thedisplay of the application to permit the control to become visible. Insome embodiments, a client executing on the mobile device 102, or thewindow management service 206, may cause the virtual keyboard or virtualpicker to be displayed in response to input from a user. For example, auser may select or actuate a control displayed on the mobile device 102.This control, upon actuation, may cause a client on the mobile device102 to display the virtual keyboard or virtual picker. Thus, display ofthe virtual keyboard or virtual picker might not be automatic and mayrequire user input. In some embodiments, the client executing on themobile device 102 may be modified so that when focus is given to aneditable field displayed within a remote application window displayed onthe mobile device 102, the client may automatically display a virtualkeyboard or virtual picker. Similarly, when focus is removed from theeditable field, the client may hide the virtual keyboard or virtualpicker, optionally automatically.

In some embodiments, the method may include modifying the display of theapplication by including control values in the display of theapplication. For example, upon receiving the event notification andcontrol information, the window management service 206 may determinewhether the control is a type of control having associated values. Upondetermining that the control has associated values, the windowmanagement service 206 may modify the display of the remote applicationto include the received values. For example, if one or more strings areassociated with a combo box having received focus, the window managementservice 206 may modify the display to display a combo box that includesthose strings. In other aspects, a client executing on the mobile device102, or a window management service 206, may use local controls nativeto the mobile device 102 to display a remote control or to displaygraphics representative of a remote control. For example, when a remoteWindows Combo Box is presented in an application, the client may displayand/or use a local iPad picker control. Thus, the remote applicationdisplayed on the mobile device 102 may look like a native mobile device102 application and may include at least some native functionality.

The method 500, in some embodiments, may include an additional step oftransmitting actions on a control on the mobile device 102 back to theremote application. For example, Application A executing on the remotecomputer 401 may generate application output which may be displayed inan application output window on the remote computer 401. The applicationoutput generated by Application A may be transmitted to the mobiledevice 102 where it may be displayed within an application output windowon the mobile device 102. The application output window on the mobiledevice 102 may be referred to as a local application window and maydisplay remotely generated application output. In some embodiments, whenan editable combo box field within the remotely generated applicationoutput receives focus, a client or a window management service 206 mayintercept the on-focus event and may display or invoke a native, virtualpicker control, e.g. the iPad picker control. Within the localapplication window and amongst the remotely generated applicationoutput, the native, virtual picker control may be displayed. A user mayinteract with the native control to generate input. Once the control isused to generate input, the client or window management service 206 maytransmit the input to the remote computer 401. Upon receiving the input,the remote computer 401 may inject the control input into an actualcontrol displayed within the actual application output generated byApplication A. Injection of the received control input may beaccomplished using a Windows UI Automation API.

Illustrated in FIG. 6 is a method 600. Method 600 may be used to mediateresource and application access based on a physical location of a mobiledevice. In some embodiments, an application or service executing on aremote computer/server may receive location information for a mobiledevice (step 602). This location information may include GPS coordinatesobtained by the mobile device and sent by the mobile device to theremote computer/server. In some embodiments, the mobile device mayobtain the GPS coordinates using an application executing on the mobiledevice, and the application may communicate with GPS device(s) orcomponent(s), which may receive communications from one or moresatellites, to obtain the coordinate location of the mobile device atthat point in time. Thus, the GPS coordinates may be time-based in thesense that they may be the coordinates for the mobile device at aparticular point in time. Upon receiving the location information forthe mobile device, one or more applications or services may determinewhether the location of the mobile device is a ‘safe’ location (step604). The one or more applications or services that may make thedetermination in connection with step 604 may be running on a remotecomputer or server in order to enhance security. The determination ofstep 604 may be made by comparing the location coordinates of the mobiledevice to a list of ‘safe’ coordinates. Step 604 may include determiningwhether the coordinates correspond to a region deemed ‘safe.’ A ‘safe’location, in some embodiments, may be any location where, when a mobiledevice is located at that location, the mobile device may accesssensitive and secure information and applications. When a determinationis made that the mobile device is in a ‘safe’ location, one or moreapplications or services may modify output of an application (step 606)so that the mobile device is provided with access to secure andsensitive information. The one or more applications or services that mayperform the modification of step 606 may be distinct from the one ormore applications or services that may perform the determination of step604. When a determination is made that the mobile device is not in a‘safe’ location, the one or more services may modify output of anapplication (step 706) so that the mobile device is restricted fromaccessing secure and sensitive information. Upon modifying the output,the output may be transmitted to the mobile device (step 608) where itmay be displayed to a user.

Aspects of this disclosure may be directed to improving or enhancing auser's experience in connection with, e.g., one or more applications.FIG. 7 illustrates a before-and-after perspective of a display screen.In particular, in connection with the “before” screen shot on the top(#1) of FIG. 7, a user may have manually entered input that caused avirtual keyboard 702-1 to pop-up and be displayed on screen. Virtualkeyboard 702-1 may hide or obscure one or more screen images 708, suchas a section 708-1 that the user intended to edit with keyboard 702-1.

In contrast, and in connection with the “after” screen shot on thebottom (#2) of FIG. 7, screen images 708 may be panned in accordancewith one or more aspects of this disclosure. For example, section 708-2may be panned upwards, allowing the user continued visibility and accessto the entirety of section 708-2. A virtual keyboard 702-2 (which may besimilar to keyboard 702-1) may be displayed automatically when a portionof screen images 708 or section 708-2 receives focus. For example, auser selection of section 708-2, or an element or field includedtherein, may cause keyboard 702-2 to be displayed.

FIG. 8 illustrates another “before-and-after” user experience orperspective, this time applied to a list of boxes that may be displayedinside of an internet browsing application (e.g., INTERNET EXPLORER),optionally running in a remote session. In the “before” screen shot(#1), a user may have to manually zoom in to pick an entry from a list810-1 included in a window 804-1. In contrast, in the “after” screenshot (#2) that may have been generated using one or more aspects of thisdisclosure, a client or window management service may automaticallydisplay a native picker control that may be used to pick or select fromitems listed in a list 810-2 of a window 804-2. In some aspects, thepicker control may be displayed responsive to determining that aneditable field within an application received focus. Relative to window804-1, window 804-2 may be a zoomed in version. The client or windowmanagement service may facilitate any number of operations, such as azoom in or zoom out, to facilitate viewing, selection, or use. Theoperations may be initiated automatically in response to a list, orother portion of a display or window, receiving focus.

Aspects of this disclosure are directed to controlling, regulating, ormediating access to one or more resources. In some embodiments, adevice, such as a client device, may determine or report locationinformation. For example, a client device may determine its own locationusing GPS techniques. The client device may report its determinedlocation, such as its GPS coordinates, to one or more devices, such asone or more servers. The one or more servers may control or mediateaccess to one or more resources depending on the location of the clientdevice. The client device may include one or more mobile devices.

As described above, the client device may obtain GPS locationinformation for itself. Upon obtaining its physical location, the clientdevice may transfer the physical location information to one or moredevices, such as a computer. This computer may include a remote computerand/or a remote server. The client device may connect to the computer toaccess resources and applications, such as an email client or emailand/or other resources (e.g., documents, individual or aggregated dataelements, applications, websites, etc). An application executing on thecomputer may compare the physical location of the client device with alist of safe locations, e.g. a predetermined coordinate listing orlocation listing. If the computer determines that the client device isin a “safe” location then the client device may be given access to oneor more resources/applications, e.g. email.

FIG. 9 illustrates a screen shot of a client device display screen. InFIG. 9, three emails in a user's email inbox are shown. All threeresources/emails may be displayed normally, and a user may click on anyof the emails to view the full state of the email. The top email mayhave been flagged as sensitive by the sender, Donovan Hackett, using anemail application's privacy feature. For example, Donovan may haveselected one or more privacy controls or features using a graphical userinterface (GUI) associated with an email application when preparing theemail with the subject “Cost reports” shown in FIG. 9.

In some embodiments, additional features may be used in connection withthe email from Donovan Hackett to indicate that privacy features areassociated with it. For example, a colored flag or a padlock icon may bedisplayed to indicate to the user of the client device that privacycontrols have been selected by the sender in connection with the email.If the client device is in a “safe” location, then the flag may be agreen color or the padlock may be represented in an “unlocked” state,thereby indicating to the user that the user has access (e.g., fullaccess) to the email. Any number of indications could be used to conveyprivacy status information associated with an email or other resource.For example, when a user browsing or scrolling through her inbox ofemails highlights a particular email with privacy controls associatedwith it, the client device may play an audio message that describes theprivacy controls associated with the highlighted email.

Continuing the above example, if the user of the client device uses theclient device in a location that is determined as not being a “safe”location, the user might not be able to access one or more emailsflagged as sensitive. In some embodiments, the email may be disabled andif the user selects the email, it might not open. As shown in FIG. 10,the top email from Donovan Hackett that may be flagged as sensitive mayshown as being grayed out or otherwise shaded, and a small padlock iconmay be displayed (in a “locked” state) on the email to indicate itsunavailability. This may be done in response to the client device beinglocated in an unsafe location. In some embodiments, an inaccessible orunavailable email might not even appear in the display screen if theclient device is not in a “safe” location. Such features may be usefulto preclude an unauthorized user from learning of the existence of theemail, the subject of the email, the sender of the email, or any otherdetails associated with the email.

In some embodiments, a client device that might be unable to determineor report location information (e.g., GPS location information) may betreated as if it is always in an unsafe location. Providing for suchtreatment may help to ensure that security associated with an email isnot compromised. In some embodiments, an e-mail application may beconfigured to permit senders to specify locations in which the recipientmay or may not view the e-mail.

In some embodiments, a location could be defined as a geographicalregion whose boundary is defined by a sequence of GPS coordinates. Thisgeographical region description may further include some specificationfor a line between adjacent points in a sequence of GPS coordinates.

In some embodiments, a set or group of predetermined and/or predefinedregions of potential interest (e.g. legal jurisdictions such as acountry, continent, city, county or state) may be included or specified.These regions may be designated as safe or unsafe. In some embodiments,one or more administrators or personnel, may restrict access on thebasis of unsafe locations rather than determine whether a location issafe. In some embodiments, a group of users may provide feedback as towhether a particular location is safe or unsafe. A network or serviceprovider or operator may determine whether a particular location is safeor unsafe based at least in part on the feedback.

In some embodiments, location information (e.g., GPS locationinformation) may serve as an input to a policy. A policy engine may makeone or more decisions, based at least in part on the policy, to controla type or level of access to a resource (e.g., an application). In someembodiments, authentication to a network (e.g., a corporate network) orto one or more servers, databases, or repositories, may depend on aclient device's location. For example, successful authentication throughan access gateway or to servers on the network might be dependent on thelocation information provided by the client device.

In some embodiments, one or more restrictions may be imposed on data orcontent, such as an electronic document, based on a client device'slocation. For example, one or more policies (such as SmartAccesspolicies) may use location information to decide whether to and how togrant access to various resources. Content owners or providers whogenerally provide public access may restrict a portion of the accessbased on an actual geographic location defined by location coordinates(e.g., GPS coordinates) rather than an IP address. A contentowner/provider may want to restrict content for any number of reasons.For example, it may be desirable to restrict content to a specificpurpose or event, e.g. allowing consumption at a specifically locatedevent such as a corporate meeting or a court case. In some embodiments,a determination may be made that a client device is within a thresholddistance of an event, and access to a resource may be based on thedetermination. Enforcing a policy of non-consumption of event coveragewithin a region “local” to the event may help to ensure that in-personor live attendance remains high. For example, a football team mayenforce a non-consumption policy in proximity to the team's stadium inorder to help promote ticket sales. As another example, excluding accessto a broadcast or other details of an event within a threshold distanceof the event may comprise predetermining that a region within thethreshold distance of the event is an unsafe area. One or more policiesor restrictions may help to control content that should not be consumedoffsite (e.g., sensitive SmartAuditor recordings or financialdocuments).

In some embodiments, vendors, administrators, other personnel, or usersmay want to restrict the availability of certain resources (e.g.,applications) to users within certain legal jurisdictions, perhapsbecause they are/are not compliant with regulations in force withinthose regions (e.g., European data privacy laws or crypto exportrestrictions), or with license conditions. A filtering of applicationpublication or transmittal of application output data based on theclient device location may be used to restrict access to a resource.Thus, resources might not be launched or opened when access isrestricted. For use cases such as smooth roaming, session reconnection,or session sharing, a new location may provide the impetus to hide or toclose applications that are running when a reconnection occurs and adetermination is made that the new location does not have the samepermissions as the previous location.

In some embodiments, policy decisions may serve as an input to, or helpdrive, a business model. For example, an application licensing agreementor a consumption-based service charge agreement may be established ormodified based on one or more policy decisions. An end user in a firstlocation may cause the consumption of a license from a first pool, whilean end user in a second location may cause the consumption of a licensefrom a second pool. Similarly two users in two different locations maybe charged different usage-based charges for using the same or a similarservice. Such features may enable vendors to provide various priceoffers for different markets.

In some embodiments, a determination may be made whether to record aresource, such as a session or an application in a session. Terms andconditions associated with the recording may also be determined. Forexample, a recording application, such as SmartAuditor, mayautomatically decide whether to record a resource presented on aparticular channel. In some embodiments, a determination may be madewhether to record specific applications or whether to record specificchannels of information. Such decisions may be used to influence howrecordings are treated. For example, a length of a recording or aretention period for the recording may be determined. Decisions may bemotivated by considerations of the kinds of location-based risk andcompliance concerns held by an enterprise, or by legal considerations.For example, certain jurisdictions might not allow recordings under anyor certain circumstances, or may constrain the types of information thatmay be recorded.

While certain exemplary embodiments have been described and shown in theaccompanying drawings, it is to be understood that such embodiments aremerely illustrative of and not restrictive on the aspects describedherein. Additionally, it is possible to implement the embodimentsdescribed herein or some of its features in hardware, programmabledevices, firmware, software or a combination thereof. Aspects of thedisclosure may be embodied in a processor-readable storage medium ormachine-readable medium such as a magnetic (e.g., hard drive, floppydrive), optical (e.g., compact disk, digital versatile disk, etc), orsemiconductor storage medium (volatile and non-volatile).

Aspects of this disclosure may readily be applied to, and adapted to beoperative on, one or more communication systems. Those communicationsystems may include computer networks, television networks, satellitenetworks, telephone and cellular networks, and the like.

Although not required, various aspects described herein may be embodiedas a method, a data processing system, and/or as a transitory and/ornon-transitory computer-readable medium storing executable instructions.Accordingly, those aspects may take the form of an entirely hardwareembodiment, an entirely software embodiment, an entirely firmwareembodiment, or an embodiment combining software, firmware and hardwareaspects. The functionality may be resident in a single computing device,or may be distributed across multiple computing devices/platforms, themultiple computing devices/platforms optionally being connected to oneanother via one or more networks. Moreover, the structural componentsdescribed herein may be distributed amongst one or more devices,optionally within a common housing or casing.

Various signals representing content, data, information, or events asdescribed herein may be transferred between a source and a destinationin the form of electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, and/or wireless transmissionmedia (e.g., air and/or space).

The various methods and acts may be operative across one or morecomputing servers, databases, and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a database, a client computer,etc.). As discussed herein, a resource (e.g., an application, data or acontent item, etc.) may be distributed to intermediary/networkcomponents and client-side devices at various times and in variousformats. The distribution and transmission techniques described hereinmay leverage existing components and infrastructure to minimize powerdissipation, operational complexity, footprint size, user and managementinvolvement, amongst other factors and costs.

The methodological acts and processes described herein may be tied toparticular machines or apparatuses. For example, one or more portions ofa display screen may be adjusted by a computer (e.g., a server) and/or aclient device (e.g., a mobile device) to accommodate a virtual keyboardor other data entry tool when a displayed control receives focus. Asanother example, access to one or more resources at a client device maybe controlled by a computer. More generally, one or more apparatuses mayinclude one or more processors and memory storing instructions that,when executed, cause the one or more apparatuses to perform themethodological acts and processes described herein. Furthermore, themethodological acts and processes described herein may perform a varietyof functions including transforming an article (e.g., (1) a portion of adisplay screen optionally including a control element, (2) a resourcesubject to privacy or access controls, etc.) into a different state orthing (e.g., (1) an adjusted portion of a display screen accommodating avirtual keyboard or other data entry tool, (2) a controlled resource,etc.).

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one of ordinary skill in the art willappreciate that the steps illustrated in the figures may be performed inother than the recited order, and that one or more steps illustrated maybe optional in accordance with aspects of the disclosure.

What is claimed is:
 1. A method comprising: executing, by a firstcomputing device, an application on behalf of a second computing device,resulting in an application resource being hosted by the first computingdevice for the second computing device in connection with execution ofthe application, wherein the application resource includes an indicationof one or more authorized locations in which access to the applicationresource is authorized; receiving information indicating a location ofthe second computing device; determining that the location of the secondcomputing device is a safe location at least by comparing the locationof the second computing device to at least one of the one or moreauthorized locations; and responsive to determining that the location ofthe second computing device is a safe location, providing, by the firstcomputing device, the second computing device with access to theapplication resource and transmitting application output data indicativeof the application resource to the second computing device.
 2. Themethod of claim 1, wherein the application resource includes one or moreemails.
 3. The method of claim 1, wherein the application output dataindicative of the application resource includes draw commands and imagesgenerated by the application.
 4. The method of claim 1, wherein theapplication resource includes one or more remote files.
 5. The method ofclaim 1, further comprising: receiving, at the first computing device,information indicating a second location of the second computing device;determining that the second location of the second computing device isan unsafe location; and responsive to determining that the secondlocation of the second computing device is an unsafe location,restricting access to the application resource.
 6. The method of claim5, further comprising: transmitting graphical or audio data to thesecond computing device indicating that access to the applicationresource is restricted.
 7. The method of claim 5, further comprising:causing the application resource to be removed from a display screenassociated with the second computing device responsive to restrictingaccess to the application resource.
 8. The method of claim 1, whereinthe information indicating the location of the second computing deviceincludes GPS location information of the second computing device.
 9. Themethod of claim 1, wherein determining that the location of the secondcomputing device is a safe location includes determining that thelocation of the second computing device is within a threshold distanceof a currently occurring event.
 10. The method of claim 1, wherein theapplication resource includes an email, wherein the email includes theindication of the one or more authorized locations, and the indicationof the one or more authorized locations includes an indication of atleast one location in which a recipient of the email is authorized toaccess the email.
 11. An apparatus, comprising: a processor; and memorystoring executable instructions that, when executed by the processor,cause the apparatus to: execute an application on behalf of a computingdevice, resulting in an application resource being hosted by theapparatus for the computing device in connection with execution of theapplication, wherein the application resource includes an indication ofone or more authorized locations in which access to the applicationresource is authorized; receive information indicating a location of thecomputing device; determine that the location of the computing device isa safe location at least by comparing the location of the computingdevice to at least one of the one or more authorized locations; andresponsive to determining that the location of the computing device is asafe location, provide the computing device with access to theapplication resource and transmit application output data indicative ofthe application resource to the computing device.
 12. The apparatus ofclaim 11, wherein the application resource includes one or more emails.13. The apparatus of claim 11, wherein the application output dataindicative of the application resource includes draw commands and imagesgenerated by the application.
 14. The apparatus of claim 11, wherein theapplication resource includes one or more remote files.
 15. Theapparatus of claim 11, wherein the executable instructions, whenexecuted by the processor, cause the apparatus to: receive informationindicating a second location of the computing device, determine that thesecond location of the computing device is an unsafe location, andresponsive to determining that the second location of the computingdevice is an unsafe location, restrict access to the applicationresource.
 16. The apparatus of claim 15, wherein the executableinstructions, when executed by the processor, cause the apparatus to:transmit graphical or audio data to the computing device indicating thataccess to the application resource is restricted.
 17. The apparatus ofclaim 15, wherein the executable instructions, when executed by theprocessor, cause the apparatus to: cause the application resource to beremoved from a display screen associated with the computing deviceresponsive to restricting access to the application resource.
 18. Theapparatus of claim 11, wherein the information indicating the locationof the computing device includes GPS location information of thecomputing device.
 19. The apparatus of claim 11, wherein causing theapparatus to determine that the location of the computing device is asafe location includes causing the apparatus to determine that thelocation of the computing device is within a threshold distance of acurrently occurring event.
 20. A method comprising: executing, by afirst computing device, a first application on behalf of a secondcomputing device, resulting in a first application resource being hostedby the first computing device for the second computing device inconnection with execution of the first application, wherein the firstapplication resource includes an indication of one or more authorizedlocations in which access to the first application resource isauthorized; executing, by the first computing device, a secondapplication on behalf of a third computing device, resulting in a secondapplication resource being hosted by the first computing device for thethird computing device in connection with execution of the secondapplication, wherein the second application resource includes anindication of one or more authorized locations in which access to thesecond application resource is authorized; receiving informationindicating a location of the second computing device; determining thatthe location of the second computing device is a safe location at leastby matching the location of the second computing device to at least oneof the one or more authorized locations in which access to the firstapplication resource is authorized; responsive to determining that thelocation of the second computing device is a safe location, providing,based at least in part on a consumption of a first license, the secondcomputing device with access to the first application resource andtransmitting application output data indicative of the first applicationresource to the second computing device; receiving informationindicating a location of third computing device; determining that thelocation of the third computing device is a safe location at least bymatching the location of the third computing device to at least one ofthe one or more authorized locations in which access to the secondapplication resource is authorized; and responsive to determining thatthe location of the third computing device is a safe location,providing, based at least in part on a consumption of a second license,the third computing device with access to the second applicationresource and transmitting application output data indicative of thesecond application resource to the third computing device.